Microsoft has taken the unusual step of issuing a workaround for a new security bug involving Microsoft Office a day before its regular Patch Tuesday update.
Hacking attacks targeting a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access prompted Redmond's security gnomes to issue an advisory on Monday. …

Figures

Hmm, why don't Microsoft just give up and KILL ActiveX totally and re-write the whole stack? Ever since I first used IE I figured ActiveX, hmm, sounds dubious at best; then I got hit by a few drive-by downloads, or well, they got about as far as my AV alerting me and killing them stone dead. JavaScript loaded a Java control loading hidden "ActiveX controls" that attempted to malware me.

But wait...

>> Some of these involve preventing COM objects from running in Internet Explorer, or disabling scripting. The first of these means using the Registry Editor, where mistakes can really screw up your system, while the second might leave users unable to use many websites normally. Given these choices, less technically knowledgeable Windows users might do better to use either Firefox or Opera pending the availability of a patch, which Microsoft has begun to develop.

So if I disable COM objects in IE I might be "unable to use many websites normally" but if I use Firefox or Opera which don't support ActiveX in the first place these same web sites will continue to work?
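The registry-based workaround the quoted paragraph refers to is Internet Explorer's "kill bit": a `Compatibility Flags` value of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` tells IE to refuse to instantiate that control. The script below is an added example, not from the article or any commenter, that only reads the registry to report whether the kill bit is set for a given CLSID; it makes no changes. The CLSID in it is a placeholder, since the page does not give the Snapshot Viewer control's CLSID; substitute the CLSID from the vendor advisory.

```powershell
# Added example: read-only check of the IE kill bit for an ActiveX control.
# The default CLSID is a PLACEHOLDER (all zeros); supply the real one from the advisory.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder, not a real control
)

# Bit 0x400 in "Compatibility Flags" blocks the control from loading in IE (the kill bit).
$KillBitFlag = 0x400

# 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node,
# so both locations are checked.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([string]$Clsid)
    foreach ($base in $BasePaths) {
        $keyPath = Join-Path $base $Clsid
        $flags = $null
        $keyPresent = Test-Path $keyPath
        if ($keyPresent) {
            # -ErrorAction SilentlyContinue: the key may exist without the value.
            $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        $set = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
        [pscustomobject]@{
            Clsid      = $Clsid
            Hive       = $base
            KeyPresent = $keyPresent
            Flags      = if ($null -ne $flags) { ('0x{0:X}' -f $flags) } else { $null }
            KillBitSet = $set
        }
    }
}

$results = Get-KillBitStatus -Clsid $Clsid
$results | Format-Table -AutoSize

# Report per location: a missing key or a value without bit 0x400 means IE will still load the control.
foreach ($r in $results) {
    if ($r.KillBitSet) {
        Write-Host "Kill bit set for $($r.Clsid) under $($r.Hive); IE will not load this control."
    } else {
        Write-Warning "Kill bit NOT set for $($r.Clsid) under $($r.Hive); the control can still be instantiated."
    }
}
```

Run it in an elevated PowerShell session (`HKLM` is readable by standard users, but some hardened builds restrict it), passing `-Clsid` with the braces included. Because the check is per hive, a machine can report the bit set for 64-bit IE and missing for 32-bit IE; both need to be set for the workaround to cover every IE process on that host.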

"serious ActiveX flaw"

I had to smile when I read that subheading.

ActiveX doesn't have any serious flaws. The whole damned thing has been a serious flaw, from inception onwards.

One of the O'Reilly books on HTML published shortly after the debut of ActiveX included an explicit warning "don't use ActiveX, it's a security hazard." It's not like the security issues associated with ActiveX weren't understood until recently.

I cannot comprehend Microsoft's obstinate refusal to admit that they made a HUGE design error with ActiveX. The handwriting was on the wall right at the start, but no, they've forged ahead with their mistaken software tech ever since.

I love to play at MS-watching (sort of like Peking-watching in the days of Mao), but in this case I can't imagine what kind of pathological corporate structure leads to the retention of a system that has repeatedly been demonstrated to be a, if not *the*, major source of security holes.

Do the marketing wonks have too much say? Is it a pet project of Ballmer's? Is ActiveX a product for which no one person is responsible? Does anyone know?

Quality is job one

Code quality comes only by examination. Could one of Shakespeare's sonnets be improved by examination of his peers? Possibly. Can the essence of his plots be removed from modern literature? Never. Thus a few steps towards code quality reveal the essential flaw in the Microsoft code skeleton - your bad designs were never subjected to the withering criticism of your peers, and now we all have to suffer for it.

@ Eddie Johnson

Reality and the web

I think we all agree that ActiveX was a hack thrown together by Microsoft in an attempt to leapfrog Netscape in the browser market. The problem is, a lot of people/companies use ActiveX controls. Regarding "I've yet to see an ActiveX control that works consistently.", I assume you've never seen Adobe Flash, which shows up on most major websites without any issue. It's an ActiveX control! Microsoft can't "...just give up and KILL ActiveX ..." because all those websites and companies that use and implement ActiveX controls will scream bloody murder without a significant amount of handholding to move them to a new solution. Try removing the plugin technology from Mozilla and see how many happy customers you have left.

Now, I agree that MS has acted pretty poorly in not attempting to wean their development community off of ActiveX years ago and providing a cutoff date for ActiveX. Let's hope that they properly address it in IE 8 rather than continue to use band-aids to deal with what is ultimately a sucking chest wound in the security of their browser.

Oh, regarding the "Code quality - the missing ingredient ..." statement. MS has many applications with exposed interfaces to make it easier for users like you or me to script their applications to do interesting things, because "we" demanded it. To then turn around and slam them because someone found an obscure backdoor through IE/ActiveX to these exposed interfaces and say that "...see, if they had let me look at the code, this wouldn't happen" is flawed logic at best or just blatantly ignorant at worst. MS runs millions of tests per day against these apps to find and prevent security flaws. Bugs still get through when an unforeseen interaction takes place. It doesn't matter if you have an extra hundred eyes poring over the code, because very few people spend their lives just looking at code. People go and look at code when an issue occurs. Why do you think the XP testing scheme is: if you find a bug, write a test case that can reproduce that bug, fix it, verify the test case passes? It isn't "pore through the code and try to imagine bugs that can occur".

Ultimately I will admit I much prefer having the source code available when I encounter a bug with a system, but hey, if I don't like how MS does business I can always choose a different solution.